Privacy policy.

What we collect, what we do with it, and what we will not do with it. Plain-English summary at the top, the legal version below for the people who need it.

Version: v1.0
Effective: May 1, 2026
Last updated: May 4, 2026
Status: Active

Plain-English summary

SpotRivals watches the public-facing pages your competitors publish and emails you a brief on Monday morning about what changed. To do that, we need three things from you and we ask for nothing else.

  • What we ask for. Your work email, the competitor URLs you want us to watch, and a payment method when the 14-day free trial ends. Optionally, your display name and company name. That is it.
  • What we do not do. No advertising trackers, no session replay, no cross-site fingerprinting, no selling data, no LLM training on your inputs.
  • Where the data lives. A single server in the European Union. Backups encrypted at rest, deleted on a 35-day rolling window.
  • Who else sees it. Five sub-processors: Stripe, Anthropic, Resend, Sentry, and our hosting provider. Each is scoped to one job and listed in the sub-processors section with what they do.
  • How to leave. Export everything as JSON or CSV from Settings. Account deletion wipes us within 30 days. We email you when it is done.

SpotRivals is a competitive-intelligence service that monitors competitor websites for small businesses. This policy describes the personal data we collect from people who use the marketing site, the dashboard, and the weekly digest emails, and what we do with it.

Who we are

SpotRivals is a competitor-monitoring service operated by a besloten vennootschap (BV) registered in the Netherlands, KvK 77807049. Full entity identification is on the Legal information page. Where this policy says us, we, or the company, it means that entity.

We are the data controller for personal data we collect about you when you visit our marketing site, sign up for an account, or use the dashboard. We are a data processor for the URLs and competitor data you enter into the product on behalf of your business.

We have not appointed a Data Protection Officer. Under Article 37 GDPR a DPO is required only where the core activities involve large-scale processing of special-category data or large-scale regular and systematic monitoring of data subjects, and SpotRivals does neither. For any privacy matter, contact privacy@spotrivals.com; replies within one business day.

What we collect

Three categories. Nothing in a fourth.

Account data: what you give us

When you sign up, we ask for:

  • Work email: Used for login, the weekly Monday digest, and account notifications. Required.
  • Password: Stored as a salted, one-way hash by WordPress core. We cannot read it. If you forget it we can only let you reset it.
  • Display name: Shown in the dashboard header. Optional. You can use a pseudonym.
  • Company name: Used to address the weekly brief and on the invoice. Optional.
  • Billing details: Card data is collected and stored by Stripe. We receive only the last four digits, the brand, the country, and the invoice address.

Product data: what you enter

The competitor names and URLs you ask us to watch, any notes you attach to a competitor or change, and the on/off state of the alert and digest preferences in your account. We do not infer anything beyond what you typed.

Operational data: what your browser sends

Your IP address (used to rate-limit the API and to protect login), the user-agent string, the page you came from, and the timestamps of significant actions (login, add competitor, click a digest link). We do not use a third-party analytics SDK in the product or on the marketing site.

Why we collect it

Each piece of data above is collected to do one of four things:

  1. Run the service you signed up for. Log you in, scrape the URLs you added, send the Monday digest, render the dashboard, charge the card.
  2. Keep it secure. Rate-limit the API, detect credential-stuffing, recover compromised accounts.
  3. Improve it slowly and on purpose. See what is used, what is not, where people get stuck. Aggregated, never individual.
  4. Comply with law. Invoicing, VAT records, lawful requests we cannot refuse.

We do not collect data to sell, to retarget, or to train a foundation model.

Legal bases (for EU/UK readers)

  • Contract for the operations needed to deliver the service.
  • Legitimate interests for security and product improvement; our interest is keeping the product safe and useful and we do not think it overrides yours.
  • Legal obligation for invoicing, tax records, and lawful requests.

What we do not track

This list is unusually specific because the absence of a thing is hard to prove. If you find any of this in our pages or product, it is a bug. Please tell us.

  • No Google Analytics, no Google Tag Manager, no Google Ads conversion tags.
  • No Meta Pixel, no LinkedIn Insight Tag, no TikTok pixel, no X conversion tag.
  • No session replay (no Hotjar, FullStory, LogRocket, Mouseflow, Clarity).
  • No cross-site cookies. Our auth cookie is first-party, SameSite=Lax, and short-lived.
  • No device fingerprinting beyond a coarse user-agent string for browser-compat purposes.
  • No reading or training on the textual content you enter into your dashboard, beyond the AI-analysis pass that is part of the product itself.

Automated decision-making

SpotRivals runs an AI analysis pass on each detected change to your competitors’ pages. The AI generates a strategic-impact reading and a recommended action. This processing analyses business data (the URLs you ask us to watch and the change descriptions our scrapers produce); it does not analyse personal data about you, and the output never produces legal effects or similarly significant effects on you within the meaning of Article 22 GDPR. We do not make decisions based solely on automated processing that produce legal or similarly significant effects on you. The full disclosure of how AI is used in the service lives in our AI use policy.

Who we share it with

Three groups, in this order of frequency:

  1. Sub-processors we contract with to run the service. Each is listed below with what they touch.
  2. People you invite to your workspace, on Pro plans (up to 3 team members). They see the watchlist, change history, and account roster. They do not see your billing details.
  3. Authorities when we receive a lawful request we cannot refuse. We narrow every request to the minimum scope, log every disclosure, and (where legally permitted) tell the affected user.

Sub-processors

Five vendors, each scoped to a single job:

  • Stripe (Stripe Payments Europe, Ltd.)
    What it does: Subscription billing, card processing, invoicing, VAT IDs.
    Data touched: Email, name, billing address, card details (we never see the full card).
    Region: EU, US
  • Anthropic (Anthropic PBC)
    What it does: Claude AI analysis of detected page changes (zero-retention contract).
    Data touched: Public competitor page diff text. No account identifiers. Not retained for training.
    Region: US
  • Resend (Resend, Inc.)
    What it does: Sending the weekly Monday digest, instant alerts, and transactional emails (login, receipts).
    Data touched: Email, display name, message body.
    Region: US
  • Sentry (Functional Software, Inc.)
    What it does: Error monitoring. Captures stack traces and request context when something breaks server-side.
    Data touched: IP address, user-agent, the URL where the error happened, optionally the user ID. No request bodies.
    Region: EU
  • Hetzner (Hetzner Online GmbH)
    What it does: Application hosting, database, file storage, scheduled scrapers. Single VPS in the EU.
    Data touched: Everything in the Privacy policy categories: account, product, operational.
    Region: EU

How long we keep it

  • Account data: While your account is active, plus 30 days after deletion (then purged).
  • Product data (competitor list, change history): For the lifetime of the account; on deletion, removed from primary stores within 30 days and from backups within 35 days.
  • AI analysis output (the briefs): Stored alongside the change that triggered them. Same retention as product data.
  • Operational logs: 90 days. Security incident logs may be kept longer if there is an active investigation.
  • Billing records: 7 years, for Dutch tax compliance. Limited to invoice metadata. Not the contents of your dashboard.
  • Anonymous aggregates: Indefinitely, but they do not identify you.

Your rights

Wherever you live, you can:

  • See what we have on you. Settings → Data → “Export.” JSON and CSV; full account contents in under five minutes.
  • Correct it. Most fields are editable in-product. For the rest, email us.
  • Delete it. Settings → Data → “Delete account.” We email you when the deletion is complete.
  • Object to a specific use. See the sub-processors section in particular.
  • Take it elsewhere. The export is yours. We will help you import it into a competitor product on request.

EU/UK readers also have the right to complain to a supervisory authority. The Dutch DPA (Autoriteit Persoonsgegevens) is ours, at autoriteitpersoonsgegevens.nl; you can also complain to your home authority. California readers have the rights enumerated in the CCPA/CPRA, exercisable through the same in-product controls.

Requests are handled within 30 days. We do not charge for them and we do not ask you to fill out a form.

International transfers

Our application, database, and backups are in the European Union. The personal data that does leave the EEA is sent to:

  • Anthropic (US) for the Claude AI analysis pass.
  • Resend (US) for sending the weekly digest and other transactional email.
  • Stripe (US) for card processing fallback when the EU entity routes to a US one.

Where personal data leaves the EEA, the transfer is covered by Standard Contractual Clauses with each sub-processor and, for the US, by the EU-US Data Privacy Framework certifications held by Stripe, Resend, and Anthropic. The list and our SCC packs are available on request from legal@spotrivals.com.

Children

SpotRivals is a B2B product. We do not market to anyone under 16, the dashboard is built for people running businesses, and we do not knowingly collect personal data from anyone under 16. If we learn we have, we delete it.

Changes to this policy

We update this policy when the product changes in a way that affects what data is collected or how it is used. The version number at the top increments and we email every account owner at least 14 days before any change that materially expands what we collect.

Contact for any privacy matter: privacy@spotrivals.com.

Questions about your data?

The fastest answer is from the human who wrote this page. Email privacy@spotrivals.com. We reply within one business day.